URL: https://github.com/SSSD/sssd/pull/215
Title: #215: Support for non-POSIX users and groups

jhrozek commented:
"""
On Thu, Mar 30, 2017 at 02:53:18AM -0700, sumit-bose wrote:
> I tested the patches with a plain LDAP setup and with an AD. In general they
> work as expected and since I think the current code is ok I would ACK the
> patches so that the following observations can be fixed later.
> 
> First I have a question about the usage of [application/...] domains. Is
> it expected that [application/...] requires inherit_from and cannot be
> configured explicitly? If I use [domain/....] and domain_type = application
> it works, but if I replace those two lines by [application/...] SSSD won't
> start.

I didn't think about testing this, frankly. I tested a separate domain
with the application type which might be useful if you want to e.g. use
a different bind method, but not this. I think it's a valid case that can
be fixed later.

> 
> 'sssctl config-check' does not like it if [application/...] has other options
> than inherit_from; even the example from the man page causes
> '[rule/allowed_application_options]: Attribute 'ldap_user_extra_attrs' is not
> allowed in section 'application/ad-app-2'. Check for typos.'

Hmm, the regex uses (domain|application) in the rules, but I'm not sure
if the regex supports the OR... apparently not...

> 
> When using [application/...] with the ad provider, other domains than the one
> the client is joined to are treated as POSIX domains even if only the
> application domain is listed in the domains option of sssd.conf.
> 
> Given the last observation it might be useful to say in the man page that 
> currently the primary and mainly tested use-case is together with the ldap 
> provider and more complex use cases will be evaluated in upcoming releases?

Yes, this is what we talked about with the ManageIQ developers. Since
for now the use-case is a replacement for their LDAP connector, I think
we should document this and check later. But with the autodiscovered
domains, we also need to do some tricks to rename the autodiscovered
domains to avoid clashes with subdomains from POSIX domains in a mixed
setup.

So if you agree, I will file three tickets, one for each of the cases, and fix
them later. I will just fix the manpage for now to make it clear only
LDAP domains are supported now.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/215#issuecomment-290364050
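The two ways of declaring an application domain that the exchange above compares, as an added sssd.conf fragment that is not part of the PR or the discussion (the server URI, search base, attribute names and domain names are made-up placeholders; the [application/...] shorthand is assumed to expand to a [domain/...] section with domain_type = application and to inherit the provider settings of the domain named in inherit_from):

```ini
# Constructed example; values are placeholders, not a real deployment.
[sssd]
services = nss, pam
# Application domains are listed alongside POSIX domains.
domains = example_ldap, app_explicit, app_inherited

# Ordinary POSIX LDAP domain, the only provider the comment says is tested.
[domain/example_ldap]
id_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_search_base = dc=example,dc=test

# Form 1: a fully configured [domain/...] section marked as an application
# domain. This is the form the comment reports as working on its own.
[domain/app_explicit]
domain_type = application
id_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_search_base = dc=example,dc=test

# Form 2: the [application/...] shorthand, which takes its provider settings
# from the named POSIX domain. The comment reports that at this point the
# shorthand only starts when inherit_from is present, and that
# 'sssctl config-check' flags any further option here (such as
# ldap_user_extra_attrs) until the allowed-options rule is corrected.
[application/app_inherited]
inherit_from = example_ldap
ldap_user_extra_attrs = mail, displayName
```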
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
